ROME—Italy's data protection watchdog told Google Inc. to change within 18 months the way it treats and stores users' personal data, as part of a pan-European probe that found the U.S. company in violation of European privacy policy laws.

The Rome-based Italian Data Protection Authority said in a statement that Google, the operator of the world's largest search engine, must ask users for their prior consent to use personal data and that it should make clear that this may be used for profiling and commercial purposes.

The regulator said on Monday it recognized that Google made progress in adhering to local laws but that it didn't comply fully yet in areas such as seeking prior consent in profiling for commercial purposes or how long personal data is stored.

Profiling could be used by advertisers to target individual with specific offers, boosting revenue potential.

Google must also remove data from active users, such as those with an account, within two months after it receives a request and within six months in its backup systems, it added.

European authorities have shown concern over the power that largely U.S. companies have gained over the continent's Internet economy, especially on the back of revelations from former National Security Agency contractor
Edward Snowden
that the U.S. had a secret program to monitor users. The U.K., France and Spain are among the countries that probed Google over European privacy laws.

On Monday, the Italian regulator also said that it was awaiting clarifications before applying the ruling from the European Court of Justice for the so-called new "right to be forgotten" ruling.

In May, Europe's top court reached a landmark decision ordering search engines such as Google to respond to individuals' requests to remove old or personal information about them from search results for their own names.

However, as part of free-speech principles, the court also instructed the search engines to balance the new right against a public interest in the information being removed.